Victor Sudakov wrote:
> Colleagues,
>
> If a server is known by several names in DNS, how can I make GSSAPI
> authentication work with all those names?

What's the real question? This is about the PTR records?

Danny

12-02-2007, 06:32 AM

unix

Re: Kerberos 5 and DNS aliases

Danny Mayer wrote:
> > If a server is known by several names in DNS, how can I make GSSAPI
> > authentication work with all those names?
>
> What's the real question?

Here is the real question.

I have created a principal for each of the several names, and placed
these principals' keys into the destination server's keytab. However
when I try to ssh into this server, GSSAPI auth works only for one of
these names, actually the name which is equal to the server's `hostname`.
I can even choose which name will work, by changing the server's
`hostname`. But only one name at a time will work.
> This is about the PTR records?

I really do not know why the above setup does not work as I expect.

If the matter is really about PTR records, please elaborate. I have
never known that Kerberos uses PTR records in any way.

I don't know the answer here, but anyone replying should note that
this means Victor is using Heimdal, not MIT Kerberos.

-GAWollman
--
Garrett A. Wollman | The real tragedy of human existence is not that we are
wollman@csail.mit.edu | nasty by nature, but that a cruel structural asymmetry
Opinions not those | grants to rare events of meanness such power to shape
of MIT or CSAIL. | our history. - S.J. Gould, Ten Thousand Acts of Kindness

12-02-2007, 08:52 AM

unix

Re: Kerberos 5 and DNS aliases

On 2 Dec 2007, at 06:32, Victor Sudakov wrote:
> I have created a principal for each of the several names, and placed
> these principals' keys into the destination server's keytab. However
> when I try to ssh into this server, GSSAPI auth works only for one of
> these names, actually the name which is equal to the server's
> `hostname`.
> I can even choose which name will work, by changing the server's
> `hostname`. But only one name at a time will work.

The GSSAPI library is canonicalising the name passed to it, by doing
a forwards, then a reverse lookup in the DNS to obtain the fully
qualified hostname of the machine which you are connecting to. Recent
MIT releases provide a means of disabling this canonicalisation, but
I'm not sure about Heimdal.

Simon.
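The forward-then-reverse canonicalisation Simon describes, as an added example that is not part of the thread or of any Kerberos implementation: a Python emulation of the client-side step, run against constructed in-memory DNS records so it works offline. The example.com names, the 192.0.2.10 address, the EXAMPLE.COM realm and the two keytab contents are all made up for illustration. The `rdns=False` branch models the MIT krb5 `rdns = false` setting in `[libdefaults]`, which skips the reverse (PTR) lookup; nothing here says what Heimdal does, and nothing here models what the server side does with `hostname`.

```python
"""Emulate the host-name canonicalisation a Kerberos/GSSAPI client performs
before requesting a host/<name> service ticket, against constructed DNS data.

Forward lookup follows CNAMEs to the canonical name and its address; with
reverse lookups enabled the PTR record for that address then replaces the
forward result.  Whatever name comes out is the one the client asks the KDC
for, so it is the one whose key must be present in the server's keytab.
"""

# Constructed records (not a real zone): three client-visible names for one
# address, but only one PTR record for that address.
A_RECORDS = {
    "srv1.example.com": "192.0.2.10",
    "files.example.com": "192.0.2.10",   # second A record, same address
}
CNAME_RECORDS = {
    "www.example.com": "srv1.example.com",
}
PTR_RECORDS = {
    "192.0.2.10": "srv1.example.com",
}

# Hypothetical keytab contents for the server: one with only the PTR name's
# key, one with a key for every name the server is known by.
KEYTAB_PTR_ONLY = {"host/srv1.example.com@EXAMPLE.COM"}
KEYTAB_ALL_NAMES = {
    "host/srv1.example.com@EXAMPLE.COM",
    "host/www.example.com@EXAMPLE.COM",
    "host/files.example.com@EXAMPLE.COM",
}


def forward_lookup(name):
    """Follow CNAMEs and return (canonical name, address); raise if unknown."""
    seen = set()
    while name in CNAME_RECORDS:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = CNAME_RECORDS[name]
    if name not in A_RECORDS:
        raise LookupError(f"no address record for {name}")
    return name, A_RECORDS[name]


def canonicalize(hostname, rdns=True):
    """Forward lookup always; reverse (PTR) lookup only when rdns is enabled."""
    canonical, address = forward_lookup(hostname.lower().rstrip("."))
    if rdns:
        # A PTR record, when present, wins: every name resolving to this
        # address collapses to the single PTR name.
        canonical = PTR_RECORDS.get(address, canonical)
    return canonical


def service_principal(hostname, realm="EXAMPLE.COM", rdns=True):
    """Principal the client will request a ticket for."""
    return f"host/{canonicalize(hostname, rdns)}@{realm}"


def names_that_authenticate(names, keytab, rdns=True):
    """Names for which the requested principal's key exists in the keytab."""
    return sorted(n for n in names if service_principal(n, rdns=rdns) in keytab)


if __name__ == "__main__":
    names = ["srv1.example.com", "www.example.com", "files.example.com"]
    for rdns in (True, False):
        print(f"rdns={rdns}:")
        for n in names:
            print(f"  {n:18} -> {service_principal(n, rdns=rdns)}")
        print("  usable with PTR-only keytab:",
              names_that_authenticate(names, KEYTAB_PTR_ONLY, rdns=rdns))
```

With reverse lookups on, all three names collapse to host/srv1.example.com, so a keytab holding only that key serves every alias; with them off, www.example.com still becomes srv1.example.com (the CNAME is followed), but files.example.com is requested as itself and needs its own keytab entry. Checking which principal the client actually requested (for example with `klist` after a failed attempt) is the quickest way to tell which name the library settled on.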

12-02-2007, 09:51 AM

unix

Re: Kerberos 5 and DNS aliases

Simon Wilkinson wrote:
> > I have created a principal for each of the several names, and placed
> > these principals' keys into the destination server's keytab. However
> > when I try to ssh into this server, GSSAPI auth works only for one of
> > these names, actually the name which is equal to the server's
> > `hostname`.
> > I can even choose which name will work, by changing the server's
> > `hostname`. But only one name at a time will work.
>
> The GSSAPI library is canonicalising the name passed to it, by doing
> a forwards, then a reverse lookup in the DNS to obtain the fully
> qualified hostname of the machine which you are connecting to.

If so, why does the available name depend on the `hostname` setting
without any change in the DNS?
> Recent
> MIT releases provide a means of disabling this canonicalisation, but
> I'm not sure about Heimdal.

Does an ssh client really pass any server name to sshd during GSSAPI
negotiation?